Cybercriminals banking on finance: Mitigating escalation

When it comes to cyber attacks, no industry is safe. But according to Boston Consulting Group research, financial service firms experience up to 300 times as many cyber attacks per year compared to companies in other industries. No financial firm is ever safe, especially as cybercriminals become more determined and sophisticated in their attack methods.

The dramatic increase in attacks against the financial industry can be attributed to three factors:

1. The COVID-19 pandemic has forced many employees to work remotely, further increasing the attack surface, making them easier targets
2. Cybercrime syndicates have adopted new attack methodologies, which traditional cybersecurity controls cannot defend against
3. Cybercriminals are, in some cases, being seen as patriots by their respective nations and acting as nefarious “cyber Robin Hoods.”

Cashing in on COVID-19

According to recent data, cyber attacks against the financial sector increased by 238 percent from February to April 2020, amid the COVID-19 surge. Cybercriminals often work to exploit fear and uncertainty during major world events by launching cyber attacks, and the pandemic is no exception. In fact, notable spikes in attacks can also be correlated to key days in the COVID-19 news cycle, such as March 1, 2020 when many states in the U.S. declared COVID-19 a public health emergency. This suggests attackers are being opportunistic and leverage breaking news to take advantage of vulnerable populations.

These cyber attacks are often performed with social engineering campaigns, leveraging malicious emails that lure victims to install malware which steals financial data and other valuable personal information. Attackers have been using COVID-19 to launch phishing attacks, fake apps/maps, trojans, backdoors, crypto miners, botnets and ransomware.

This can be increasingly damaging as the pandemic has already resulted in many people losing their jobs. It’s clear the attackers are not slowing down amid the pandemic, which means understanding their behaviors has become more important than ever before.

Money is the motive: Understanding attacker tactics

Financial institutions have reported cybercriminals are becoming more sophisticated, leveraging highly targeted social engineering attacks and advanced procedures for hiding malicious activity. The criminals’ goal is to exploit weaknesses in people, processes and technology in order to infiltrate the network and gain the ability to transfer funds and withdraw sensitive data.

For example, the most popular Trojan attack recently has been Kryptik. This malware is believed to be Russian-made and is successful because of its anti-emulation, anti-debugging, and code obfuscation features, which prevent analysis and allow for persistence. And while social engineering is still very prevalent, there has been a shift away from spear phishing toward island-hopping, as attackers try to gain a foothold and then jump to additional targets.

The modern cybercriminal understands that it is more lucrative to island-hop from the bank’s environment in order to attack its customers, which is why there are a variety of island-hopping attacks seen today.

The most common attacks seen in the financial sector is reverse business email compromise. These attacks occur when a hacker successfully takes over a victim’s email server and executes fileless malware attacks against members of the organization as well as the board. This has become easier for attackers as more employees are working from home, where their network security can be more easily compromised.

Watering-hole attacks make up one in every five attacks on financial institutions. In this case, hackers target a website frequently visited by partners or customers of the organization they are trying to breach. A majority of financial institutions reported increased attempts of wire fraud transfer since 2019. These attacks are often performed by exploiting gaps in the wire transfer verification process or through social engineering attacks targeting customer service representatives and consumers directly.

Hackers aim to identify websites that a majority of people are looking to gain information from. In this case, many people are looking to financial institutions to help them through trying times, and unfortunately hackers are taking advantage of that.

Bank heist: From heists to hostage situations

Cybercriminals are escalating their attacks as they fight back to maintain persistence. If it can’t be stolen, it will be destroyed – similar to burning a house down versus robbing it. And, increasingly, destructive attacks are being leveraged as counter incident response techniques. Trust and confidence can be undermined as cybercriminals appreciate that it is more valuable to commandeer the digital transformation efforts of the financial institution than to target its customers directly.

In order to fight against these attacks, financial institutions must conduct regular cyber threat hunting exercises to root out any persistent attacker that might already be inside. A shift to an intrinsic security model must occur, one where security is built in and not bolted on to the enterprise. Security teams must integrate security controls, microsegment, employ just-in-time authentication and modernize their endpoint security controls to mitigate the modern bank heist.

As the COVID-19 battle continues, it’s clear attackers will continue to target vulnerable populations and organizations, with an eye on finance. Increased vigilance and visibility into enterprise-wide endpoint activity are more paramount than ever. Cybersecurity is now a brand protection imperative, and the trust and confidence in the safety and soundness of a financial institution will depend on it.